Consolation 2.3 released to improve search predicate support

Version 2.3 of Consolation addresses a number of issues in the log show command, which it uses to obtain log extracts. The fixes work around bugs and gaps in the documentation of log show, and bugs in its handling of predicates. This new version also has an updated Help book which reflects these improvements.

In particular, these fixes allow users to employ search predicates which use messageType and eventType patterns. Previous versions were unable to deliver any results using those because of syntax limitations in log show. Beyond that, these changes to the formation of predicates should make the results of all filters/searches significantly more reliable.

The latest release is available from Downloads above.

I am very grateful to @JPoForenso who provided essential information on some details of these predicates, which enabled me to solve these multiple issues.

One issue which has been raised is that of reading tracev3 log files. Currently, Consolation is only able to read log files which conform to the requirements of the log command. These include the live system log on the Mac on which you are running Consolation (the default), and logarchive bundles generated by log or Consolation. They could also include .tracev3 files (this is not yet implemented in Consolation), but Apple limits those to files which are contained within a valid logarchive bundle. As that requires a logarchive bundle, I do not currently intend adding that feature to Consolation.

Some users, particularly those engaged in forensic analysis, want to be able to analyse any tracev3 file, including those not part of a logarchive bundle. As Apple does not document the tracev3 format, and no one appears to have been able to break into it, that doesn’t currently appear possible, I’m afraid.